Jul 28, 2025
OVERVIEW: This page walks you through the process of setting up a CI/CD pipeline using Jenkins to automate the code signing of Windows executables (.exe) with a GlobalSign Code Signing Certificate stored in Azure Key Vault. The pipeline uses AzureSignTool to apply the signature securely and efficiently. At the completion of this procedure, you will be able to configure Jenkins for CI/CD automation, integrate Azure Key Vault with AzureSignTool and automatically sign and verify your Windows executables. Learn more about Code Signing Certificate management and other frequently asked questions here. |
Jenkins is installed and accessible
GlobalSign Code Signing Certificate imported into Azure Key Vault
Windows build agent with AzureSignTool installed
A service principal with access to the Key Vault
GitHub repository containing your code and build artifacts (e.g., .exe, .dll)
Go to your GitHub repository.
Navigate to Settings > Webhooks.
Click Add webhook.
Complete the required fields with details.
IMPORTANT: The IP address shown in the image is from Jenkins server which can be changed. This setup triggers a Jenkins build every time code is pushed to the repository. |
To install the Azure Signtool make sure to have the latest .NET SDK installed, then open Administrator PowerShell and use the following command:
dotnet tool install --global AzureSignTool
Go to your Azure Key Vault > Access Policies.
Click + Add Access Policy.
Set the following permissions under Certificate Permissions:
• Get
• List
• Sign
• Verify
Assign the policy to your service principal or application registration.
Click Add > Save.
Under Triggers, select GitHub hook trigger for GITScm polling.
Note: This will ensure that the any changes that are happening in the GitHub repository will trigger the build in the Jenkins job.
pipeline { agent any environment { DOTNET_ROOT = "${tool 'dotnet-sdk'}" PATH = "${env.DOTNET_ROOT}/bin:${env.PATH}" WIN_SERVER_IP = "IP_ADDR" CREDS_ID = "CREDS_ID_VALUE" } triggers { githubPush() } stages { stage('Checkout') { steps { checkout([$class: 'GitSCM', branches: [[name: '*/main']], userRemoteConfigs: [[ url: 'https://github.com/PrashantGSIN/CodeSigningAutomation.git', credentialsId: 'CodeSigningAutomation' ]] ]) } } stage('Restore') { steps { sh 'dotnet restore' } } stage('Build') { steps { sh 'dotnet build -c Release' } } stage('Publish') { steps { sh 'dotnet publish -c Release -r win-x64 --self-contained true /p:PublishSingleFile=true' } } stage('Archive Executable') { steps { archiveArtifacts artifacts: '**/*.exe', fingerprint: true } } stage('Transfer Executable to Windows Server') { steps { sshagent(credentials: [CREDS_ID]) { sh """ scp -o StrictHostKeyChecking=no \ /var/lib/jenkins/workspace/CodeSigningAutomated/bin/Release/net9.0/win-x64/publish/HelloWorldApp.exe \ administrator@${WIN_SERVER_IP}:"C:/Users/Administrator/Desktop/" """ } } } stage('Create Signing Script on Windows Server') { steps { sshagent(credentials: [CREDS_ID]) { sh ''' # Create a more robust signing script ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo # Code Signing Script > C:\\Users\\Administrator\\Desktop\\sign.ps1" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo Write-Host 'Setting up environment...' >> C:\\Users\\Administrator\\Desktop\\sign.ps1" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo \\\$env:PATH += ';C:\\Users\\Administrator\\.dotnet\\tools' >> C:\\Users\\Administrator\\Desktop\\sign.ps1" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo Write-Host 'Starting code signing...' >> C:\\Users\\Administrator\\Desktop\\sign.ps1" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo Write-Host 'Using AzureSignTool...' >> C:\\Users\\Administrator\\Desktop\\sign.ps1" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo AzuresignTool sign -kvu 'https://signingcode.vault.azure.net/' -kvc 'CodeSigningHSM' -kvi 'kvi_value' -kvs 'kvs_value' --azure-key-vault-tenant-id 'key_vault_tenant_id' -tr 'http://timestamp.globalsign.com/tsa/advanced' -td sha256 'C:\\Users\\Administrator\\Desktop\\HelloWorldApp.exe' >> C:\\Users\\Administrator\\Desktop\\sign.ps1" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo Write-Host 'Signing process completed.' >> C:\\Users\\Administrator\\Desktop\\sign.ps1" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo Write-Host 'Exit code:' \\\$LASTEXITCODE >> C:\\Users\\Administrator\\Desktop\\sign.ps1" ''' } } } stage('Sign Executable on Windows Server') { steps { sshagent(credentials: [CREDS_ID]) { sh ''' # Debug: Show the signing script content before execution ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo Signing script content: && type C:\\Users\\Administrator\\Desktop\\sign.ps1" # Debug: Check if AzureSignTool is available ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "powershell.exe -Command \\"Write-Host 'Checking AzureSignTool availability...'; try { \\\$env:PATH += ';C:\\\\Users\\\\Administrator\\\\.dotnet\\\\tools'; AzuresignTool --help | Select-Object -First 5; Write-Host 'AzureSignTool found ✓' } catch { Write-Host 'AzureSignTool not found ✗'; Write-Host 'Error:' \\\$_.Exception.Message }\\"" # Execute the signing script with verbose output ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "powershell.exe -ExecutionPolicy Bypass -Command \\"Write-Host 'Starting code signing process...'; \\\$env:PATH += ';C:\\\\Users\\\\Administrator\\\\.dotnet\\\\tools'; Write-Host 'Updated PATH:' \\\$env:PATH; try { & 'C:\\\\Users\\\\Administrator\\\\Desktop\\\\sign.ps1' } catch { Write-Host 'Signing script execution failed:' \\\$_.Exception.Message }\\"" # Alternative: Run signing command directly for debugging ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "powershell.exe -ExecutionPolicy Bypass -Command \\"Write-Host 'Attempting direct signing...'; \\\$env:PATH += ';C:\\\\Users\\\\Administrator\\\\.dotnet\\\\tools'; try { AzuresignTool sign -kvu 'https://signingcode.vault.azure.net/' -kvc 'CodeSigningHSM' -kvi '7f9e5afe-8d5a-475e-9447-49d3f02914d9' -kvs 'oir8Q~WJodlbcMvyktSbOMJQs2yiQbs4RXE3QcXq' --azure-key-vault-tenant-id 'caf959d5-9c81-416b-a133-ae88c20d857c' -tr 'http://timestamp.globalsign.com/tsa/advanced' -td sha256 'C:\\\\Users\\\\Administrator\\\\Desktop\\\\HelloWorldApp.exe' } catch { Write-Host 'Direct signing failed:' \\\$_.Exception.Message; Write-Host 'Exit code:' \\\$LASTEXITCODE }\\"" ''' } } } stage('Verify Code Signature') { steps { sshagent(credentials: [CREDS_ID]) { sh ''' ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "powershell.exe -Command \\"Get-AuthenticodeSignature 'C:\\Users\\Administrator\\Desktop\\HelloWorldApp.exe' | Format-List\\"" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "powershell.exe -Command \\"Write-Host 'Certificate Chain Verification:'; \\\$sig = Get-AuthenticodeSignature 'C:\\Users\\Administrator\\Desktop\\HelloWorldApp.exe'; if(\\\$sig.SignerCertificate) { Write-Host 'File is SIGNED'; Write-Host 'Signer:' \\\$sig.SignerCertificate.Subject; Write-Host 'Valid From:' \\\$sig.SignerCertificate.NotBefore; Write-Host 'Valid Until:' \\\$sig.SignerCertificate.NotAfter; if(\\\$sig.TimeStamperCertificate) { Write-Host 'Timestamped: YES' } else { Write-Host 'Timestamped: NO' } } else { Write-Host 'File is NOT SIGNED' }\\"" ''' } } } stage('Deploy Application') { steps { sshagent(credentials: [CREDS_ID]) { sh ''' # Create deployment directory ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "if not exist C:\\\\Apps\\\\HelloWorldApp mkdir C:\\\\Apps\\\\HelloWorldApp" # Stop existing service if running (ignore errors if service doesn't exist) ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "sc stop HelloWorldApp 2>nul || echo Service not running or doesn't exist" # Copy signed executable to deployment directory ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "copy C:\\\\Users\\\\Administrator\\\\Desktop\\\\HelloWorldApp.exe C:\\\\Apps\\\\HelloWorldApp\\\\HelloWorldApp.exe /Y" # Create application configuration file ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo # HelloWorldApp Configuration > C:\\\\Apps\\\\HelloWorldApp\\\\config.txt" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo Deployed on: %date% %time% >> C:\\\\Apps\\\\HelloWorldApp\\\\config.txt" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo Version: 1.0 >> C:\\\\Apps\\\\HelloWorldApp\\\\config.txt" # Create deployment script for easy management ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo @echo off > C:\\\\Apps\\\\HelloWorldApp\\\\run.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo echo Starting HelloWorldApp... >> C:\\\\Apps\\\\HelloWorldApp\\\\run.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo C:\\\\Apps\\\\HelloWorldApp\\\\HelloWorldApp.exe >> C:\\\\Apps\\\\HelloWorldApp\\\\run.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo pause >> C:\\\\Apps\\\\HelloWorldApp\\\\run.bat" # Test the deployed application ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "C:\\\\Apps\\\\HelloWorldApp\\\\HelloWorldApp.exe" ''' } } } stage('Create Windows Service (Optional)') { when { // Only run this stage if you want to create a Windows service expression { return true } // Set to false to skip service creation } steps { script { try { sshagent(credentials: [CREDS_ID]) { sh ''' # First, check if service already exists and remove it ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "powershell.exe -Command \\"Write-Host 'Checking for existing service...'; try { \\\$service = Get-Service -Name 'HelloWorldApp' -ErrorAction SilentlyContinue; if(\\\$service) { Write-Host 'Stopping existing service...'; Stop-Service -Name 'HelloWorldApp' -Force -ErrorAction SilentlyContinue; Start-Sleep -Seconds 2; Write-Host 'Removing existing service...'; sc.exe delete HelloWorldApp | Out-Null; Start-Sleep -Seconds 2 } } catch { Write-Host 'No existing service found' }\\"" # Create Windows Service using sc.exe with proper error handling ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "powershell.exe -Command \\"Write-Host 'Creating Windows Service...'; try { \\\$result = Start-Process -FilePath 'sc.exe' -ArgumentList 'create', 'HelloWorldApp', 'binPath=', 'C:\\\\Apps\\\\HelloWorldApp\\\\HelloWorldApp.exe', 'start=', 'manual', 'DisplayName=', 'HelloWorld Application' -Wait -PassThru -NoNewWindow; if(\\\$result.ExitCode -eq 0) { Write-Host 'Service created successfully'; \\\$descResult = Start-Process -FilePath 'sc.exe' -ArgumentList 'description', 'HelloWorldApp', 'HelloWorld Application - Deployed via Jenkins CI/CD Pipeline' -Wait -PassThru -NoNewWindow; if(\\\$descResult.ExitCode -eq 0) { Write-Host 'Service description set successfully' } else { Write-Host 'Service created but description setting failed' }; Write-Host 'Service configuration completed' } else { Write-Host 'Service creation failed with exit code:' \\\$result.ExitCode } } catch { Write-Host 'Service creation encountered an error:' \\\$_.Exception.Message }\\"" # Verify service creation ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "powershell.exe -Command \\"Write-Host 'Verifying service creation...'; try { \\\$service = Get-Service -Name 'HelloWorldApp' -ErrorAction SilentlyContinue; if(\\\$service) { Write-Host 'Service Status:' \\\$service.Status; Write-Host 'Service Name:' \\\$service.ServiceName; Write-Host 'Display Name:' \\\$service.DisplayName; Write-Host 'Service successfully registered' } else { Write-Host 'Service not found - creation may have failed' } } catch { Write-Host 'Service verification failed:' \\\$_.Exception.Message }\\"" # Set service to start automatically (optional) ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "powershell.exe -Command \\"Write-Host 'Configuring service startup...'; try { sc.exe config HelloWorldApp start= auto | Out-Null; Write-Host 'Service configured for automatic startup' } catch { Write-Host 'Service startup configuration failed' }\\"" ''' } echo "Service creation completed successfully" } catch (Exception e) { echo "Service creation encountered issues: ${e.getMessage()}" echo "Check if the application is compatible with Windows Service hosting" } } } } stage('Service Management') { when { expression { return true } // Set to false to skip service management } steps { sshagent(credentials: [CREDS_ID]) { sh ''' # Create service management scripts ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo @echo off > C:\\\\Apps\\\\HelloWorldApp\\\\start-service.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo echo Starting HelloWorldApp Service... >> C:\\\\Apps\\\\HelloWorldApp\\\\start-service.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo net start HelloWorldApp >> C:\\\\Apps\\\\HelloWorldApp\\\\start-service.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo echo Service started successfully >> C:\\\\Apps\\\\HelloWorldApp\\\\start-service.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo pause >> C:\\\\Apps\\\\HelloWorldApp\\\\start-service.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo @echo off > C:\\\\Apps\\\\HelloWorldApp\\\\stop-service.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo echo Stopping HelloWorldApp Service... >> C:\\\\Apps\\\\HelloWorldApp\\\\stop-service.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo net stop HelloWorldApp >> C:\\\\Apps\\\\HelloWorldApp\\\\stop-service.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo echo Service stopped successfully >> C:\\\\Apps\\\\HelloWorldApp\\\\stop-service.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo pause >> C:\\\\Apps\\\\HelloWorldApp\\\\stop-service.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo @echo off > C:\\\\Apps\\\\HelloWorldApp\\\\service-status.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo echo Checking HelloWorldApp Service Status... >> C:\\\\Apps\\\\HelloWorldApp\\\\service-status.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo sc query HelloWorldApp >> C:\\\\Apps\\\\HelloWorldApp\\\\service-status.bat" ssh -o StrictHostKeyChecking=no administrator@{WIN_SERVER_IP} "echo pause >> C:\\\\Apps\\\\HelloWorldApp\\\\service-status.bat" # Show final deployment structure ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "echo. && echo Deployment completed. Files created: && dir C:\\\\Apps\\\\HelloWorldApp" ''' } } } stage('Deployment Verification') { steps { sshagent(credentials: [CREDS_ID]) { sh ''' # Comprehensive deployment verification ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "powershell.exe -Command \\"Write-Host '========================================'; Write-Host 'DEPLOYMENT VERIFICATION REPORT'; Write-Host '========================================'; Write-Host ''\\"" # 1. Verify application deployment ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "powershell.exe -Command \\"Write-Host '1. APPLICATION DEPLOYMENT:'; if(Test-Path 'C:\\\\Apps\\\\HelloWorldApp\\\\HelloWorldApp.exe') { Write-Host ' Status: DEPLOYED ✓'; \\\$file = Get-Item 'C:\\\\Apps\\\\HelloWorldApp\\\\HelloWorldApp.exe'; Write-Host ' File size:' \\\$file.Length 'bytes'; Write-Host ' Last modified:' \\\$file.LastWriteTime; Write-Host ' Location: C:\\\\Apps\\\\HelloWorldApp\\\\HelloWorldApp.exe' } else { Write-Host ' Status: NOT DEPLOYED ✗'; exit 1 }\\"" # 2. Verify code signature ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "powershell.exe -Command \\"Write-Host ''; Write-Host '2. CODE SIGNATURE VERIFICATION:'; \\\$sig = Get-AuthenticodeSignature 'C:\\\\Apps\\\\HelloWorldApp\\\\HelloWorldApp.exe'; if(\\\$sig.SignerCertificate) { Write-Host ' Status: SIGNED ✓'; Write-Host ' Signer:' \\\$sig.SignerCertificate.Subject; Write-Host ' Valid from:' \\\$sig.SignerCertificate.NotBefore; Write-Host ' Valid until:' \\\$sig.SignerCertificate.NotAfter; Write-Host ' Hash Algorithm:' \\\$sig.HashAlgorithm; if(\\\$sig.TimeStamperCertificate) { Write-Host ' Timestamp: YES ✓' } else { Write-Host ' Timestamp: NO ✗' } } else { Write-Host ' Status: NOT SIGNED ✗' }\\"" # 3. Verify Windows Service (non-blocking) ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "powershell.exe -Command \\"Write-Host ''; Write-Host '3. WINDOWS SERVICE VERIFICATION:'; try { \\\$service = Get-Service -Name 'HelloWorldApp' -ErrorAction SilentlyContinue; if(\\\$service) { Write-Host ' Service Status:' \\\$service.Status; Write-Host ' Service Name:' \\\$service.ServiceName; Write-Host ' Display Name:' \\\$service.DisplayName; Write-Host ' Start Type: Automatic'; Write-Host ' Service: REGISTERED ✓' } else { Write-Host ' Service: NOT REGISTERED (Optional)' } } catch { Write-Host ' Service: VERIFICATION SKIPPED (Optional)' }\\"" # 4. Verify deployment structure (fixed escaping) ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "powershell.exe -Command \\"Write-Host ''; Write-Host '4. DEPLOYMENT STRUCTURE:'; \\\$files = @('HelloWorldApp.exe', 'config.txt', 'run.bat', 'start-service.bat', 'stop-service.bat', 'service-status.bat'); foreach(\\\$file in \\\$files) { if(Test-Path \\\\"C:\\\\Apps\\\\HelloWorldApp\\\\\\\$file\\\\") { Write-Host \\\\" \\\$file EXISTS ✓\\\\" } else { Write-Host \\\\" \\\$file MISSING ✗\\\\" } }\\"" # 5. Test application execution ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "powershell.exe -Command \\"Write-Host ''; Write-Host '5. APPLICATION EXECUTION TEST:'; try { \\\$output = & 'C:\\\\Apps\\\\HelloWorldApp\\\\HelloWorldApp.exe' 2>&1; Write-Host ' Execution: SUCCESS ✓'; Write-Host ' Output:' \\\$output } catch { Write-Host ' Execution: FAILED ✗'; Write-Host ' Error:' \\\$_.Exception.Message }\\"" # 6. Show file listing ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "powershell.exe -Command \\"Write-Host ''; Write-Host '6. DEPLOYMENT DIRECTORY CONTENTS:'; Get-ChildItem 'C:\\\\Apps\\\\HelloWorldApp' | Format-Table Name, Length, LastWriteTime -AutoSize\\"" # 7. Network accessibility test ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "powershell.exe -Command \\"Write-Host ''; Write-Host '7. SERVER ACCESSIBILITY:'; Write-Host ' Server IP: 172.31.91.18'; Write-Host ' Deployment Path: C:\\\\Apps\\\\HelloWorldApp'; Write-Host ' Remote Access: SSH ✓'\\"" # 8. Summary ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "powershell.exe -Command \\"Write-Host ''; Write-Host '========================================'; Write-Host 'DEPLOYMENT VERIFICATION COMPLETE'; Write-Host 'Core deployment: SUCCESS ✓'; Write-Host 'Application ready for use!'; Write-Host '========================================'\\"" ''' } } } stage('Cleanup Signing Script') { steps { sshagent(credentials: [CREDS_ID]) { sh ''' ssh -o StrictHostKeyChecking=no administrator@172.31.91.18 "del C:\\Users\\Administrator\\Desktop\\sign.ps1" ''' } } } } post { always { cleanWs() } success { echo 'Pipeline completed successfully!' } failure { echo 'Pipeline failed!' } } }
Once the pipeline completes successfully:
Navigate to the deployed application (e.g., C:\Apps\HelloWorldApp\HelloWorldApp.exe).
Right-click the file > Properties > Digital Signatures.
Select the Signature from the list and click on Details.
You will see the signer information and timestamp (issued by GlobalSign TSA).
Check your certificate installation for SSL issues and vulnerabilities.